Child domain controller lacks administrative rights
We have two domains with a parent-child relationship. All client desktops are connected to the parent domain. I have an application that will be installed from the child domain to the desktop clients. The problem I am facing now is the child domain controller does not have administrator rights to the client computers. I checked from the child domain controller by giving computer1c$ when it was asking for username and password, whereas when doing the same thing from the parent I can list the contents. Our environment is with Windows 2000 Server and Win2000 Professional as clients. The client application has to be installed on a domain controller, and we want to separate it from the main domain controller.
The child domain accounts do not inherently have permissions in the parent domain. However, if the application that you are using needs to have administrative rights you can put the applications service account name in the local administrators group on the workstations. If you have multiple accounts that need to be local administrators from multiple domains you can also utilize the UNIVERSAL groups. UNIVERSAL groups can contain members from both domains and have a scope of the entire forest. You can then put the UNIV group into the local administrators group on every workstation. In the future, if you need to give techies or other service accounts access you can just add them into the UNIV group.
Additional Expert Help:
Be sure to check our Answer FAQ for more expert advice.
For faster answers, visit ITKnowledge Exchange.
This was first published in November 2004